Self-hosting Behind Starlink with IPv6#
What Starlink Gives You#
Starlink gives you two public IPv6 networks:
- A
/64for the WAN. This is for the router’s external side. If you use Bypass Mode, your third-party router assigns this on its WAN port. - A
/56for the LAN. Your internal IPv6 range. You can break it into 256 separate/64subnets for your home network.
Below are Wireshark captures between my Starlink router and UniFi router. These packets are sent using IPv6 multicast addresses.
How the /64 is delivered#
The /64 prefix is delivered by an ICMPv6 Router Advertisement. Your router then uses SLAAC to build its host IPv6 address based on its MAC.
ICMPv6 Router Advertisement
ICMPv6 Option (Prefix information : 2406:2d40:4000:186b::/64)
Type: Prefix information (3)
Prefix Length: 64
Reserved
Prefix: 2406:2d40:4000:186b::How the /56 is delivered#
The /56 prefix is delivered through a DHCPv6 Prefix Delegation Reply. Rather than giving you one /64, Starlink delegates a /56. Your router can then break this into 256 /64 subnets for your home.
DHCPv6 Reply
DHCPv6
Identity Association for Prefix Delegation
IA Prefix
Option: IA Prefix (26)
Prefix length: 56
Prefix address: 2406:2d40:400b:cd00::Before exposing services directly to the internet over IPv6, consider what you’re hosting. A public web server is better served behind Cloudflare, which hides your real IP and adds DDoS protection. Whatever you host, put it in a dedicated VLAN and treat it as a DMZ. Firewall it off from the rest of your network so a compromise there can’t reach your other devices.
UniFi Express 7 Router Setup#
Step 1: Configure the WAN#
Site Manager > Site > Settings > Internet > Select WAN > IPv6 Configuration
DHCPv6 Prefix Delegation works with either SLAAC or DHCPv6. I use SLAAC so the router can also generate a WAN address from the /64 advertised in the ICMPv6 RA.
You can set the PD size to /56 if you have problems, though the ICMPv6 RA already specifies it.
Step 2: Configure the LAN#
Now that IPv6 is enabled on the WAN, set up the LAN side.
Site Manager > Site > Settings > Networks > Select LAN > Protocol IPv6
Go to your private LAN networks and enable IPv6 PD. Set the PD interface to your WAN, since that’s where the DHCPv6 Prefix Delegation is received from. The router takes the /56 and assigns each LAN a /64, starting at 00 and incrementing for each new network. You can’t customize these yet, but UniFi plans to add that in a future release.
Delegated prefix: 2406:2d40:400b:cd00::/56
Each network:
2406:2d40:400b:cd00::/64
2406:2d40:400b:cd01::/64
2406:2d40:400b:cd02::/64
...That’s it. Your router gets a public IPv6 address, and every LAN gets its own public /64.
Windows network settings will show a public IPv6 address assigned to the machine. That is the address you would use to reach it from anywhere in the world. The only remaining step is to adjust the firewall rules on the router.
UniFi Express 7 Firewall#
Since each subnet has its own public IPv6 network and devices use SLAAC to generate their own public addresses, every device becomes globally reachable. This makes your firewall the only line of defense.
Site Manager > Site > Settings > Policy Engine > Traffic & Firewall Rules > Internet v6 rules
By default, only established traffic that originates from your network is allowed back in. To let the internet reach a specific device, you need to create an explicit rule for it.
This guide uses the older firewall that applies rules per interface and direction. If you're using the newer zone-based firewall, you'll need to adjust accordingly.
Creating the rule#
Click Create Entry. In this example I’m allowing port 80 to one IPv6 address. Give the rule a name and specify the destination port and IP.
You’ll need a network list for these entries. A network list is an object that holds IP addresses or port numbers. Instead of typing the same IP or port into multiple firewall rules, you put it into a network list once and then reference it in your rules. It keeps things organized and prevents duplicate entries.
Create a new address group list and port list. Give it any name you want. The important part is the IP address or port you put inside it.
Add whichever device you want to make accessible from the internet to this rule. You can allow all traffic or only specific ports. The choice is yours.
The addresses in the screenshots are examples only. Your IPv6 addresses will be different. I'm using placeholder values for privacy.
Testing the Website#
I set up a web server that uses the IPv6 address from the example above, then tested it from my LTE smartphone so the traffic came from outside my network.
To reach the site, enter the IPv6 address in your browser, but place it in brackets. IPv6 addresses contain colons, so the brackets tell the browser where the address stops and the port begins.
[2406:2d40:400b:cd00:1234:1234:1234:1234]:80Success.
IPv4 Note#
IPv4 on Starlink is unusable for hosting because of carrier-grade NAT (CGNAT). You’re behind two layers of NAT. Your device gets a normal private IP (e.g. 192.168.0.0/24), and Starlink assigns your router a second private IP (e.g. 10.64.0.0/10) instead of a real public IPv4 address.
Starlink does this because there aren’t enough public IPv4 addresses to give every customer. CGNAT lets them stretch a single public IPv4 address across many users.
The good news is that Starlink fully supports IPv6. With IPv6, there’s no NAT, no port forwarding, and every device on your network can have its own public IP address. That means you can self-host services.
The Starlink router is limited and lacks advanced features, so I put it in Bypass Mode and use the UniFi Express 7 as my main router. The LAN port of the Starlink router connects directly to the WAN port on the UniFi Express 7. This tutorial is based on that setup, so adjust the steps as needed for your own router.
At the time of this writing, I’m using UniFi Network 9.5 for the GUI. The router GUI might change over time so adjust as needed.